[strongSwan] addrblock plugin

Tobias Brunner tobias at strongswan.org
Mon Aug 24 15:55:33 CEST 2015


Hi Noel,

> What format of traffic selectors does the plugin accept in the
> X.509 certificate?

The formats defined in RFC 3779 (basically prefixes and ranges).

> How does the plugin behave when the user on the side, that uses the
> plugin, sets a TS larger than the one permitted by the certificate?
> Does it correctly narrow it to the one allowed by the certificate? 
> Does the plugin make building the CHILD_SA fail if the TS is not
> within the data in the certificate?

The plugin itself doesn't do any narrowing.  After narrowing is
complete, it checks the negotiated traffic selectors against the
constraints in the certificate; if any of them conflict, the CHILD_SA
fails with TS_UNACCEPTABLE.

Regards,
Tobias
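
The check described in the reply above, sketched as an added example that is not part of the original message and is not strongSwan's code. It assumes a "conflict" means a negotiated selector is not fully covered by the certificate's RFC 3779 prefixes and ranges, models only the address part of a traffic selector, and uses constructed sample blocks and hypothetical function names.

```python
import ipaddress

def parse_block(text):
    """Parse a prefix ("10.1.0.0/16") or a range ("lo-hi") into (version, lo, hi)."""
    if "-" in text:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in text.split("-", 1))
    else:
        net = ipaddress.ip_network(text.strip(), strict=True)
        lo, hi = net.network_address, net.broadcast_address
    if lo.version != hi.version or lo > hi:
        raise ValueError(f"invalid address block: {text!r}")
    return lo.version, int(lo), int(hi)

def merge(blocks):
    """Merge overlapping or adjacent blocks so a selector may span neighbours."""
    merged = []
    for ver, lo, hi in sorted(blocks):
        if merged and merged[-1][0] == ver and lo <= merged[-1][2] + 1:
            merged[-1] = (ver, merged[-1][1], max(merged[-1][2], hi))
        else:
            merged.append((ver, lo, hi))
    return merged

def conflicting_selectors(cert_blocks, negotiated_ts):
    """Return the negotiated selectors not fully inside the certificate blocks."""
    allowed = merge([parse_block(b) for b in cert_blocks])
    bad = []
    for ts in negotiated_ts:
        ver, lo, hi = parse_block(ts)
        if not any(v == ver and a <= lo and hi <= b for v, a, b in allowed):
            bad.append(ts)
    return bad

def child_sa_result(cert_blocks, negotiated_ts):
    """Runs on the already-narrowed selectors; any conflict fails the CHILD_SA."""
    if conflicting_selectors(cert_blocks, negotiated_ts):
        return "TS_UNACCEPTABLE"
    return "CHILD_SA established"

# Constructed sample: address blocks as they might appear in a peer certificate.
CERT_BLOCKS = ["10.1.0.0/16", "10.3.0.0-10.3.0.127", "10.3.0.128/25",
               "2001:db8:1::/48"]

if __name__ == "__main__":
    for ts in (["10.1.5.0/24"], ["10.0.0.0/8"], ["10.3.0.64-10.3.0.192"]):
        print(ts, "->", child_sa_result(CERT_BLOCKS, ts))
```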

